Use and Disclosure of Protected Health Information Policy

The Columbia University Healthcare Component (CUHC) is committed to protecting the privacy and security of Protected Health Information (PHI). CUHC may Use and Disclose PHI only as required or permitted under the Privacy Rule, and consistent with CUHC’s Notice of Privacy Practices.

When requesting, using, or disclosing PHI, CUHC will make reasonable efforts to limit the Use and Disclosure of PHI to the Minimum Necessary to accomplish the intended purpose(s) of the Use, Disclosure, or request.

Reason(s) for the Policy

To define how PHI may be Used and Disclosed consistent with applicable city, state, and federal regulatory requirements.

Primary Guidance To Which This Policy Responds

45 CFR 164.502—45 CFR 164.514

Who is Governed by This Policy

All CUHC workforce members.

Who Should Know This Policy

All CUHC workforce members.


CUHC may Use or Disclose PHI pursuant to and in compliance with a valid authorization. See the Health Information Management (HIM) Policy Authorization to Use or Disclose PHI Policy for more information.


CUHC shall Disclose PHI:

  • To a patient (or the patient’s personal representative), when requested, and as required by their right of access to their PHI in accordance with the HIPAA Privacy Rule and Patient Rights policy, and their right to be provided with an accounting of the Disclosures of their PHI, in accordance with the HIM Accounting of Disclosures Policy; and
  • When required by the Secretary to investigate or determine CUHC compliance with the Privacy Rule.

The CUHC may, but is not required to, Use and Disclose PHI without a patient’s authorization for the purposes set forth below:

Privacy and Confidentiality of PHI for Treatment, Payment, and Healthcare Operations

CUHC will protect the privacy of its patient’s PHI while allowing workforce members to Use and Disclose PHI for purposes of treatment, payment, or healthcare operations. CUHC may:

  1. Treatment
    • Use and Disclose a patient’s PHI to provide the patient with treatment or services. Treatment activities include the provision, coordination, or management of health care and related services, including the coordination or management of health care with a third party, consultation with other health care providers related to a patient, or the referral of a patient for health care to another health care provider.
    • Share a patient’s PHI with other departments within the covered healthcare component as long as the department is providing or has in the past provided services to the patient.
    • Disclose a patient’s PHI to physicians and other healthcare professionals who are involved in the patient’s care, including individuals or entities participating in an Organized Health Care Arrangement (“OHCA”) with CUHC.
    • Disclose PHI to another health care provider, for that provider’s treatment activities, in accordance with consent requirements under New York state law (see N. Y. Public Health Law § 18(6); N.Y. Education Law § 6530(23)). CUHC shall verify the identities and authority of other health care providers prior to disclosing PHI.
  2. Payment
    • Use and Disclose a patient’s PHI for payment for the treatment and services provided to the patient. Payment activities include providing or obtaining reimbursement for health care, determinations of eligibility or coverage, coordination of benefits, billing and collection activities.
    • Disclose a patient’s PHI to the patient’s health plan to obtain prior approval for treatment or to determine whether the patient’s plan will cover the treatment.
    • Disclose a patient’s PHI to other healthcare providers to facilitate the other healthcare provider’s billing and collecting efforts and as permitted by applicable law, including to other individuals or entities participating in an OHCA with CUHC. CUHC shall verify the identity and authority of the health care provider or other Covered Entities prior to disclosing PHI.
  3. Healthcare Operations
    • Use and Disclose a patient’s PHI for purposes of its own healthcare operations.
    • Aggregate patient information to decide what additional services should be offered, what services are not needed and whether certain new treatments are effective.
    • Combine the PHI in its possession with PHI from other healthcare providers in order to compare its performance with other like providers and make improvements in the care and services offered.
    • Disclose a patient’s PHI to other healthcare organizations as permitted by applicable law, including to other individuals or entities participating in an OHCA with CUHC.
    • If CUHC desires to have a third party aggregate its PHI with that of other Covered Entities for purposes of CUHC health care operations, as well as the other Covered Entities’ Health Care Operations, CUHC shall enter into a Business Associate Agreement with the third party in accordance with applicable federal and state law.
    • Examples of Healthcare Operation activities include but are not limited to:
      • Conducting quality assessments and improvement activities; or
      • Developing clinical guidelines conducting patient safety activities as defined in applicable regulations.


Family Members and Caregivers

Consistent with the Privacy Rule, CUHC may Disclose PHI to family members, other relatives, or close personal friends of the patient, or any other person identified by the patient if the PHI is directly relevant to such person’s involvement with the patient’s care or payment related to the patient’s care. CUHC also may Use or Disclose PHI to notify, or assist in the notification of a family member, a personal representative of the patient, or another caregiver of the patient, regarding the patient’s location, general condition, or death.

Limited Data Sets

CUHC may Use or Disclose a patient’s PHI as permitted by and in compliance with the Privacy Rule’s requirements regarding the use of Limited Data Sets.

Health and Safety

Subject to certain limitations in the Privacy Rule, to prevent a serious threat to health or safety, CUHC may release the minimum necessary PHI without the patient’s authorization to prevent a serious threat to health or safety if there exists a reasonable and good faith belief that:

  1. Disclosure is necessary to prevent or reduce a serious and imminent threat to the health or safety of the public.
    • The disclosure will be made only to a person or persons reasonably able to prevent or reduce the threat; and
    • The disclosure may be made to the individual associated with the threat.
  2. Disclosure is requested by law enforcement authorities and is necessary for them to identify or apprehend a suspect, fugitive, material witness or missing person. Only certain limited information may be shared in accordance with HIPAA and applicable state law.

Questions about whether a disclosure is required to prevent a serious threat to health or safety or what information may be disclosed should be directed to the Privacy Office.


Public Health Activities

CUHC may Use and Disclose PHI without the written authorization of the patient for certain specified public health activities and purposes, as permitted by the Privacy Rule, including disclosures to a device or pharmaceutical manufacturer regarding adverse events, product complaints or defects, product recalls, or for post-marketing surveillance.

Victims of Abuse, Neglect, or Domestic Violence

Subject to the Privacy Rule limitations, CUHC may Use and Disclose to authorized government authorities PHI that concerns child abuse victims or adult victims of abuse, neglect or domestic violence.


Health Oversight Activities

CUHC may release PHI to a Health Oversight Agency for limited oversight activities authorized by law, such as audits and investigations necessary for oversight of the health care system and government benefit programs.

Judicial or Administrative Proceedings

CUHC may Disclose PHI in the course of a judicial or administrative proceeding under the following circumstances:

  • Court process or administrative order: CUHC may Disclose PHI in compliance with, and limited by the relevant requirements of a court order or administrative tribunal order.
  • Subpoena, Discovery Request or Other Lawful Process: CUHC also may Disclose PHI in response to a subpoena, discovery request, or other lawful process not accompanied by a court order, but only if CUHC receives satisfactory assurances from the party requesting the information that the patient was given notice of the request or efforts were made to obtain a qualified protective order that restricts Use or Disclosure of the information to the proceeding for which it was requested and requires return or destruction of such information at the end of the litigation or proceeding. Satisfactory assurances are not required in limited circumstances specified in the Privacy Rule.


Law Enforcement

CUHC may Disclose PHI for a law enforcement purpose to law enforcement officials under certain circumstances specified by the Privacy Rule, including where required by law, where in compliance with certain administrative requests, for purposes of identifying or locating suspects, fugitives, material witnesses, or missing persons, and where requested by a law enforcement official about a patient suspected to be a crime victim.

Specialized Government Functions

CUHC may Use and Disclose PHI in various circumstances involving specialized government functions, including military and veterans’ activities, national security and intelligence activities, protective services for the president, and medical suitability determinations. Such uses and Disclosures of PHI must be in compliance with the requirements of the Privacy Rule.


Workers’ Compensation

CUHC may Disclose PHI as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs that are established by law and provide benefits for work-related injuries or illness regardless of fault.

State Law Limitations

The permissible Uses and Disclosures described in this Policy may be further limited by applicable state law, particularly for sensitive conditions (e.g., HIV/AIDS, genetic information, substance abuse, mental health, STDs, pregnancy and family planning). For example, under New York law, there are additional restrictions for certain types of sensitive information and conditions such as genetic information and HIV/AIDs information. For uses or disclosures involving such information, appropriate patient consent and/or review by the Privacy Officer may be required. Certain otherwise permissible uses and disclosures, including disclosures to other providers outside the OHCA, may also require consent under New York law.

Genetic Information (See NY Civil Rights Law 79-l)

The patient’s genetic information may be used or disclosed only for assessing or managing the patient’s health, for providing treatment, or if the patient has signed an informed written consent to participate in an approved research study. For research, the genetic information disclosed will be used only as research information in an approved research protocol.

A patient’s genetic information will not be disclosed without obtaining a written authorization from the patient unless required by applicable law or for certain approved reasons including but not limited to the following:

  1. to establish parentage;
  2. to determine the presence of metabolic disorders in a newborn by testing conducted pursuant to newborn screening and protocols;
  3. to furnish genetic information relating to a decedent of a blood relative of the decedent for the purpose of medical diagnosis;
  4. in connection with a criminal investigation or prosecution;
  5. required under specific order of a state or federal court;
  6. for identification of the individual; or
  7. for identification of human remains.


HIV and AIDS Information (See New York Public Health Law § 2782)

HIV/AIDS information is protected by, and may be used and disclosed only in accordance with, applicable city, state, and federal laws and regulations.

Prior to conducting an HIV-related test of an individual, the patient’s healthcare provider will obtain an appropriate informed consent provided the patient has the capacity to consent. If the patient does not have the capacity to consent, the patient’s healthcare provider will obtain informed consent from the person legally authorized to consent to healthcare on the patient’s behalf prior to performing the HIV-related test.



CUHC will recognize a person as the personal representative of a patient who is an adult or an emancipated minor if, under applicable law, the person has the authority to act on behalf of the patient in making decisions related to health care. This includes, but is not limited to, such persons as court appointed guardians and persons with health care power of attorney authority. Such persons will be treated as the patient’s personal representative only with respect to PHI that is relevant to the matters on which they are authorized to represent the patient.


Deceased Patients

CUHC will recognize as a personal representative of a deceased patient an executor, administrator, or other person who under applicable law has the authority to act on behalf of the deceased patient or the patient’s estate. Such persons will be treated as the patient’s personal representative only with respect to PHI that is relevant to the matters on which they are authorized to represent the patient.



If under applicable law, a parent, guardian, or other person acting in loco parentis has authority to act on behalf of a patient who is an unemancipated minor in making decisions related to health care, CUHC shall treat such person as a personal representative with respect to PHI relevant to such personal representation. However, HIPAA provides individuals with certain rights related to their PHI, including the right to request their PHI be kept confidential. Although minors do not generally have the authority to exercise rights on their own behalf, state law and HIPAA provide minors with the authority to exercise control over certain categories of their own PHI.

In accordance with New York State Public Health law, a minor over the age of twelve (12) may seek and receive the following types of health care services independently from his/her personal representative (Parental consent is not required):

  1. HIV/AIDS testing and treatment;
  2. Testing and treatment for venereal and sexually transmissible diseases;
  3. Pregnancy and pre-natal care;
  4. Abortion;
  5. Chemical dependency services; and
  6. Mental health outpatient services.

The minor’s personal representative does not have a right to the minor’s PHI if the minor alone consented to the treatment, unless the minor authorizes the release.


Exceptions to Disclosure to Personal Representatives

CUHC may choose to not treat a person as a personal representative if a workforce member has a reasonable belief of any of the following:

  • The patient has been or may be subjected to domestic violence, abuse, or neglect by such person, and in the exercise of professional judgment, CUHC decides that it is not in the best interest of the patient to treat the person as the patient’s personal representative; or
  • Treating such person as the personal representative could endanger the patient, and in the exercise of professional judgment, CUHC decides that it is not in the best interest of the patient to treat the person as the patient’s personal representative.


Subject to certain exceptions described in the Privacy Rule, prior to disclosing PHI to a person requesting access to PHI, if the identity or authority of such person under the Privacy Rule to access PHI is not known, a workforce member shall verify the person’s identity and authority. CUHC also shall confirm that the disclosure is permissible under the Privacy Rule and obtain documentation, statements, or representations from the person requesting the PHI when such documentation, statement, or representation is a condition of the disclosure under the Privacy Rule.

Releases of PHI to Coroners, Medical Examiners, and Funeral Directors

CUHC may disclose a patient’s PHI to coroners and medical examiners for the purposes of identifying a deceased person, determining a cause of death, or other duties as authorized by law. CUHC also may disclose PHI to funeral directors, consistent with applicable law, as necessary for the funeral directors to carry out their duties concerning the decedent. Prior to making a disclosure, CUHC shall verify the identity and authority of the individual making the request.

  1.  CUHC will disclose only the minimum amount of PHI necessary to meet the purpose of the request.
  2. Specially protected PHI, including HIV/AIDS information and genetic information, will be disclosed in accordance with applicable regulatory requirements.


Confidentiality of Psychotherapy and Personal Notes

Psychotherapy notes are considered the property of the healthcare provider who created them and will not be disclosed to patients or otherwise used or disclosed without patient authorization other than (i) for treatment by the originator of the notes; (ii) for use in training programs where students, trainees or practitioners in mental health learn under supervision; (iii) for CUHC to defend itself in a legal action or other proceeding brought by the individual; or (iv) for other narrow purposes permitted by HIPAA and applicable New York state law.

Disclosure of Protected Health Information Required by Law

There are times when CUHC is required by law to Use or Disclose PHI (e.g., to report or provide PHI to local, state, or federal agencies or authorities or when responding to judicial or administrative requests for PHI). A patient’s authorization is not required for mandatory reporting and CUHC will not grant a patient’s request for restriction if the request would interfere with a mandatory reporting obligation. CUHC may Use or Disclose PHI without patient authorization in such circumstances, provided that the Use or disclosure complies with and is limited to the relevant requirements of the applicable law. If a Use or Disclosure required by law relates to victims of abuse, judicial or law enforcement purpose, it must also comply with the requirements outlined in the Privacy Rule for such Disclosures.


Organ Donation

CUHC may Disclose a patient’s PHI without written authorization to facilitate organ and tissue procurement, banking, and transplantation.

  1. Prior to making the disclosure, CUHC will verify the identity and authority of the individual making the request.
  2. CUHC will Disclose only the minimum amount of PHI necessary to meet the purpose of the request.
  3. Specially protected PHI, including HIV/AIDS information and genetic information, will be disclosed in accordance with respective regulatory requirements.

Disclosures of Protected Health Information Over the Telephone

Treatment information may only be disclosed to the patient or their authorized representative. Certain exceptions may apply.

In some situations, using the telephone to communicate with a patient or to respond to requests for a patient’s PHI is necessary or more convenient, than communicating via mail or requiring the patient to come to a CUHC healthcare facility for a face-to-face meeting. Workforce members should attempt to limit, to the extent practicable, PHI communicated over the telephone.  Before PHI is communicated over the telephone, workforce members are required to verify the identify of the individual.



The Use or Disclosure of PHI for research purposes is permitted in certain circumstances in accordance with established state and federal regulations.

Refer to the Columbia University Institutional Review Board Policy on the Privacy Rule and the Use of Health Information in Research (the “Research and HIPAA Policy”) for additional information.



CUHC may Use or Disclose a patient’s PHI as permitted by and in compliance with the Privacy Rule’s requirements regarding uses and disclosures of PHI for fundraising, and CUHC’s Fundraising and HIPAA policy.



In accordance with the Privacy Rule and CUHC’s Sale of Protected Health Information Policy, CUHC shall not directly or indirectly receive remuneration, including non-financial benefits such as in-kind benefits, in exchange for PHI, unless patient authorization is obtained or an applicable exception applies.

Disaster Relief

CUHC may Use or Disclose PHI to a disaster relief organization (e.g., Red Cross) for the purpose of coordinating notification efforts with such entity to notify or assist in the notification about a patient’s location, general condition, or death. The requirements for Disclosure of PHI still apply, unless CUHC (in its professional judgment) determines that meeting such requirements would interfere with the disaster relief organization’s ability to respond to the emergency circumstances. The Chief Privacy Officer will assume responsibility for coordinating and authorizing Disclosures to disaster relief agencies.


Business Associates

CUHC may disclose PHI to a Business Associate, and may allow a Business Associate to create, receive, maintain, or transmit PHI on its behalf, if CUHC obtains satisfactory assurances, in accordance with the Privacy Rule, that the Business Associate will appropriately safeguard the information.

Documentation of Disclosures

Documentation of disclosures made pursuant to this policy will be included in the patient’s medical record where required by HIPAA or applicable New York State law. See Accounting of Disclosures Policy.



CUHC is responsible for identifying those individuals or groups of individuals that require access to PHI to carry out their duties. For each person or group that is identified, CUHC must make a reasonable effort to limit access to the specific category or categories of PHI needed to perform their duties. CUHC will document workforce members’ access to PHI in accordance with established regulatory requirements.



Authorization: a written authorization to Use and/or Disclose an individual’s PHI that contains the elements required by the Privacy Rule and is signed by such individual.

Business Associate: a person who creates, receives, maintains or transmits PHI on behalf of, or provides services to, a Covered Entity or other Business Associate, as more particularly described in Section 160.103.

Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.

Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.

Disclosure with respect to PHI, the release, transfer, provision of access to or divulging in any manner of such PHI outside the entity holding the PHI.

Genetic information is any written or recorded individually identifiable health information resulting from genetic testing or medical evaluation to determine the presence or absence of genes that are associated with a statistically increased risk of developing a disease, disorder, or syndrome that is asymptomatic at the time of testing.

Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.

Psychotherapy Notes are notes that are recorded in any medium (e.g., on paper, electronically) by a mental health care provider who is documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session and are kept separate from the rest of the patient’s medical record.

Use with respect to PHI, the sharing, employment, application, utilization, examination, or analysis of such PHI within an entity that maintains such PHI.

Workforce includes faculty, staff, students and other individuals whose conduct, the performance of work for CUHC is under the direct control of CUHC.